Apache Vulnerability List
Found 200 vulnerabilities related to Apache
-
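Apache ZooKeeper /commands/snapshot Authorization Bypass Vulnerability (CVE-2024-51504) No POC
Apache ZooKeeper is an open-source distributed coordination service used for maintaining configuration information, naming, providing distributed synchronization, and providing group services. AdminServer is one of its features; it provides an HTTP interface through which users can access ZooKeeper commands via an API. In November 2024, the project disclosed that when IPAuthenticationProvider is used to authenticate against an IP whitelist, an attacker can forge the X-Forwarded-For header to bypass the check. -
Apache Linkis Authorization Bypass Vulnerability (CVE-2023-27987) No POC
Apache Linkis is middleware that decouples upper-layer applications from the underlying data engines and provides standardized interfaces. The Gateway is the main entry point through which Linkis accepts client and external requests. In affected versions of Apache Linkis, the token generated when the Linkis Gateway is deployed defaults to LINKIS_CLI_TEST, and an attacker can use this token to bypass Linkis platform authentication. -
CNVD-2021-46825: Apache Storm Unauthorized Access CNVD-2021-46825 POC
Apache Storm has an unauthorized access vulnerability that an attacker can exploit to gain unauthorized access, obtain sensitive information, and perform unauthorized operations. -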
CVE-2007-4556: OpenSymphony XWork/Apache Struts2 - Remote Code Execution S2-001 POC
Apache Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character. -
CVE-2012-0392: Apache Struts2 S2-008 RCE POC
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. -
CVE-2013-1965: Apache Struts2 S2-012 RCE POC
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. -
CVE-2013-2251: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution (S2-016) POC
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. This introduces the possibility to inject server side code. -
CVE-2016-3081: Apache S2-032 Struts RCE POC
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions. -
CVE-2017-12611: Apache Struts2 S2-053 - Remote Code Execution POC
Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1 uses an unintentional expression in a Freemarker tag instead of string literals, which makes it susceptible to remote code execution attacks. -
CVE-2017-12629: Apache Solr <= 7.1 XML entity injection POC
Remote code execution occurs in Apache Solr before 7.1 with Apache Lucene before 7.1 by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. -
CVE-2017-5638: Apache Struts 2 - Remote Command Execution S2-045 S2-046 POC
Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is vulnerable to remote command injection attacks through incorrectly parsing an attacker's invalid Content-Type HTTP header. The Struts vulnerability allows these commands to be executed under the privileges of the Web server. -
CVE-2017-9791: Apache Struts2 S2-053 RCE POC
The Struts 1 plugin in Apache Struts 2.1.x and 2.3.x might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. -
CVE-2018-11759: Apache Tomcat JK Connect <=1.2.44 - Manager Access POC
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. app="mod_jk" -
CVE-2018-11776: Apache Struts2 S2-057 - Remote Code Execution POC
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and, at the same time, the upper package has no or a wildcard namespace; and, similar to results, the same possibility exists when using a url tag which doesn't have value and action set and, at the same time, its upper package has no or a wildcard namespace. -
CVE-2018-8033: Apache OFBiz XXE POC
XXE injection (file disclosure) exploit for Apache OFBiz 16.11.04 -
CVE-2019-0193: Apache Solr Remote Code Execution POC
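On August 1, 2019, Apache Solr officially issued an advisory: when Debug mode is enabled, the Apache Solr DataImport feature accepts a "dataConfig" parameter from the request. This parameter serves the same purpose as data-config.xml, but exists to make debugging convenient when Debug mode is on, and Debug mode itself is enabled through a request parameter. The dataConfig parameter can contain a malicious script, leading to remote code execution. app="APACHE-Solr" -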
CVE-2019-0230: Apache Struts <=2.5.20 - Remote Code Execution S2-059 POC
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution. -
CVE-2020-11991: Apache Cocoon 2.1.12 XML Injection POC
Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system. -
CVE-2020-13937: Apache Kylin Exposed Configuration File POC
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication. app="APACHE-kylin" -
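CVE-2020-13945: Apache APISIX Default Key Vulnerability POC
Apache APISIX is a high-performance API gateway. When the user has not specified an administrator token or uses the default configuration file, Apache APISIX uses the default administrator token edd1c9f034335f136f87ad84b625c8f1. An attacker can use this token to reach the administrator interface and then insert and execute arbitrary Lua scripts through the script parameter. -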
CVE-2020-17518: Apache Flink 1.5.1 - Local File Inclusion POC
Apache Flink 1.5.1 is vulnerable to local file inclusion because of a REST handler that allows file uploads to an arbitrary location on the local file system through a maliciously modified HTTP HEADER. app="APACHE-Flink" -
CVE-2020-17526: Apache Airflow <1.10.14 - Authentication Bypass POC
Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session. FOFA: Apache Airflow -
CVE-2020-17530: Apache Struts 2.0.0-2.5.25 - Remote Code Execution S2-061 POC
Apache Struts 2.0.0 through Struts 2.5.25 is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it. -
CVE-2020-1938: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability POC
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. fofa: port="8009" && protocol="ajp" -
CVE-2020-9496: Apache OFBiz XML-RPC Java Deserialization POC
XML-RPC requests are vulnerable to unsafe deserialization and Cross-Site Scripting issues in Apache OFBiz 17.12.03. -
CVE-2021-25646: Apache Druid - Remote Code Execution POC
Apache Druid is susceptible to remote code execution because by default it lacks authorization and authentication. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server. app="APACHE-Druid" -
CVE-2021-27905: Apache Solr <= 8.8.1 SSRF POC
The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. Prior to this bug getting fixed, it did not. This problem affects essentially all Solr versions prior to it getting fixed in 8.8.2. -
CVE-2021-29200: Apache OFBiz < 17.12.07 - Arbitrary Code Execution POC
Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack. Fofa: app="Apache_OFBiz" Hunter: app.name="OFBiz" ZoomEye: app:"Apache OFBiz" -
CVE-2021-31805: Apache Struts2 S2-062 RCE POC
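This vulnerability results from an incomplete fix for CVE-2020-17530. CVE-2020-17530 arises because Struts2 performs a second round of expression evaluation on the values of certain tag attributes (such as id); when such an attribute uses %{x} and the value of x is user-controllable, a user who passes in another %{payload} causes OGNL expression execution. In CVE-2021-31805, some tag attributes still allow an attacker's maliciously crafted OGNL expression to be executed, leading to remote code execution. fofa: app="Struts2" -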
CVE-2021-36749: Apache Druid Authentication Restrictions Bypass POC
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1. -
CVE-2021-37580: Apache ShenYu Admin JWT authentication bypass POC
A flaw was found in Apache ShenYu Admin. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. This issue affected Apache ShenYu 2.3.0 and 2.4.0 fofa: title=="ShenYu Gateway" -
CVE-2021-40438: Apache <= 2.4.48 Mod_Proxy SSRF POC
Apache 2.4.8 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. -
CVE-2021-41773: Apache 2.4.49 - Path Traversal and Remote Code Execution POC
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. -
CVE-2021-42013: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution POC
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773. server="Apache/2.4.49" -
CVE-2021-44228: Apache Log4j2 Remote Code Injection POC
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. -
CVE-2021-44451: Apache Superset Default Password POC
Apache Superset up to and including 1.3.2 allowed for registered database connections password leak for authenticated users. This information could be accessed in a non-trivial way. Users should upgrade to Apache Superset 1.4.0 or higher. Fofa: app="APACHE-Superset" -
CVE-2021-45232: Apache APISIX Dashboard <2.10.1 - API Unauthorized Access POC
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`. While all APIs and authentication middleware are developed based on framework `droplet`, some APIs directly use the interface of framework `gin`, thus bypassing their authentication. title="Apache APISIX Dashboard" -
CVE-2022-23944: Apache ShenYu Admin Unauth Access POC
Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. -
CVE-2022-24112: Apache APISIX apisix/batch-requests RCE POC
The Apache APISIX apisix/batch-requests plugin allows overwriting the X-REAL-IP header, leading to RCE. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. Fofa: title="Apache APISIX Dashboard" Shodan: title:"Apache APISIX Dashboard" -
CVE-2022-33891: Apache Spark UI - Remote Command Injection POC
Shodan: title:"Spark Master at" Fofa: title="Spark Master at" -
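CVE-2023-27524: Apache Superset Authentication Bypass POC
An Apache Superset session validation vulnerability: because the default SECRET_KEY was not changed as the installation instructions require, an attacker can authenticate and access unauthorized resources. After a successful login Superset redirects to /superset/welcome/; capturing the request and changing the session value bypasses authentication and reaches the admin backend. On failure the response reads "Missing Authorization Header"; a "Not found" response does not mean failure, and accessing /superset/welcome/ directly with the session value still reaches the backend. FOFA: app="APACHE-Superset" -
CVE-2023-32007: Apache Spark Remote Code Execution Vulnerability POC
Apache Spark versions before 3.4.0 have a command injection vulnerability. When ACLs are enabled, a code path in HttpSecurityFilter allows impersonation by supplying an arbitrary user name, which leads to arbitrary shell command execution. Fofa: app="APACHE-Spark-Jobs" ZoomEye: app:"Apache Spark Jobs" -
CVE-2023-37582: Apache RocketMQ Remote Command Execution Vulnerability POC
When the RocketMQ NameServer component is exposed to the Internet and lacks an effective authentication mechanism, an attacker can use the update-configuration function to execute commands as the system user that RocketMQ runs as. Unlike CVE-2023-33246[1], this vulnerability affects the NameServer service (default port 9876): as long as the NameServer is reachable and the service has no authentication enabled, so that certain configuration can be modified, remote command execution is possible with no other conditions. Note that even after upgrading to the latest version that fixes the vulnerability, enabling authentication for the Broker, NameServer and other components is still strongly recommended, because unauthorized configuration changes can cause service unavailability and other impact; for that reason this detection tool still checks for unauthorized access to these components. FOFA: port=9876 && protocol="rocketmq" -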
CVE-2023-46604: Apache ActiveMQ RCE POC
Apache ActiveMQ RCE Fofa: -
CVE-2023-49070: Apache OFBiz < 18.12.10 - Arbitrary Code Execution POC
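Apache OFBiz is an enterprise resource planning (ERP) system from the Apache Foundation (USA) that provides a full set of Java-based web application components and tools. Apache OFBiz before version 18.12.10 has a remote code execution vulnerability. Because XML-RPC is no longer maintained, an authenticated attacker can use XML-RPC to achieve remote code execution and take control of the server. FOFA: app="Apache_OFBiz" Hunter: app.name="OFBiz" ZoomEye: app:"Apache OFBiz" -
CVE-2024-38856: Apache OFBiz CVE-2024-38856 Remote Command Execution Vulnerability POC
Apache OFBiz is an e-commerce platform for building large and medium-sized enterprise-grade, cross-platform, cross-database, cross-application-server, multi-tier distributed e-commerce applications. In August 2024, the project released a new version fixing CVE-2024-38856, an Apache OFBiz code execution vulnerability in which an attacker can craft malicious requests to take control of the server. Fixing the vulnerability as soon as possible is recommended. -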
CVE-2024-39887: Apache Superset < 4.0.2 - SQL Injection POC
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions- version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection. shodan-query: - http.favicon.hash:"1582430156" - http.html:"apache superset" fofa-query: - body="apache superset" - icon_hash=1582430156 -
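CVE-2024-45216: Apache Solr Authentication Bypass POC
Apache Solr authentication bypass vulnerability (CVE-2024-45216). The vulnerability is in Apache Solr's PKIAuthenticationPlugin, which is enabled by default when Solr authentication is turned on. By appending a fake ending to any Solr API URL path, an attacker can bypass authentication and access arbitrary routes, obtaining sensitive data or performing other malicious operations. fofa: app="APACHE-Solr" -
CVE-2025-27817: Apache Kafka Client Arbitrary File Read POC
Allows an unauthenticated attacker to exploit the vulnerability to read arbitrary files. Most data-processing middleware and stream-processing frameworks, such as Apache Spark Structured Streaming and Apache Druid, need to call the Kafka Connect component in their applications, and these services store large amounts of sensitive data from core business systems; a successful attack would therefore cause an even more serious data leak. fofa:header="Jetty" && body="kafka_cluster_id" -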
ambari-default-password: Apache Ambari Default Password POC
An Apache Ambari default admin login was discovered. default password: admin/admin FOFA: app="APACHE-Ambari" -
apisix-default-login: Apache Apisix Default Admin Login POC
An Apache Apisix default admin login was discovered. SHODAN: title:"Apache APISIX Dashboard" FOFA: title="Apache APISIX Dashboard" -
druid-default-login: Apache Druid Default Login POC
Apache Druid default login information (admin/admin) was discovered. FOFA: title="druid monitor" -
kafka-center-default-password: Apache Kafka Center Default Password POC
shodan: http.title:"Kafka Center" fofa: title="Kafka Center" -
karaf-default-login: Apache Karaf - Default Login POC
Apache Karaf contains a default login vulnerability. Default login credentials were detected. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. SHODAN: realm="karaf" FOFA: apache-karaf -
ranger-default-login: Apache Ranger - Default Login POC
Apache Ranger contains a default login vulnerability. An attacker can obtain access to user accounts and access sensitive information, modify data, and/or execute unauthorized operations. SHODAN: http.title:"Ranger - Sign In" FOFA: title="Ranger - Sign In" -
default-apache-shiro: Apache Shiro Default Page POC
shodan-query: title:"Apache Shiro Quickstart" fofa: title="Apache Shiro Quickstart" -
tomcat-detect: Apache Tomcat Detect POC
An Apache Tomcat Manager panel was discovered. app="APACHE-Tomcat" -
nifi-api-unauthorized-access: Apache Nifi Api Unauthorized Access POC
Unauthorized access to the Apache NiFi API leads to command execution. -
nifi-unauth: Apache NiFi - Unauthenticated Access POC
Apache NiFi server was able to be accessed because no authentication was required. SHODAN: title:"NiFi" FOFA: title="nifi" && body="Did you mean" -
zeppelin-unauth: Apache Zeppelin - Unauthenticated Access POC
Apache Zeppelin server was able to be accessed because no authentication was required. SHODAN: title:"Zeppelin" FOFA: title="Zeppelin" -
zookeeper-unauth: Apache ZooKeeper - Unauthenticated Access POC
Apache ZooKeeper was able to be accessed without any required authentication. fofa: port="2181" && protocol="zookeeper" -
apache-druid-unauth: Apache Druid Unauth POC
app="Apache Druid" -
apache-ofbiz-log4j-rce-temp: Apache OFBiz Log4j JNDI RCE POC
Fofa: app="Apache_OFBiz" -
apache-ofbiz-log4j-rce: Apache OFBiz Log4j JNDI RCE POC
Fofa: app="Apache_OFBiz" -
apache-ofbiz-programexport-rce: Apache ofbiz programexport RCE POC
The programexport script in Apache ofbiz allows remote attackers to execute arbitrary code via a crafted request. Fofa: app="Apache_OFBiz" ZoomEye: app:"Apache OFBiz" -
apache-ofbiz-CVE-2023-51467-xmlrpc-rce: Apache ofbiz CVE-2023-51467 xmlrpc RCE POC
Detecting Apache OFbiz - CVE-2023-51467 authentication bypass vulnerability, xmlrpc deserialization command execution exploit Fofa: app="Apache_OFBiz" ZoomEye: app:"Apache OFBiz" -
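apache-solr-remotestreaming-anyfileread: Apache Solr RemoteStreaming Arbitrary File Read POC
Apache Solr is a powerful open-source search server that supports a REST-style API. When authentication is not enabled on Apache Solr, an attacker can directly craft specific requests to turn on a particular configuration option and ultimately read arbitrary files. fofa-query: app="APACHE-Solr" -
solr-bypass-fileread: Apache-Solr Authentication Bypass Leading to Arbitrary File Read POC
Apache Solr authentication bypass vulnerability (CVE-2024-45216). The vulnerability is in Apache Solr's PKIAuthenticationPlugin, which is enabled by default when Solr authentication is turned on. By appending a fake ending to any Solr API URL path, an attacker can bypass authentication and access arbitrary routes, obtaining sensitive data or performing other malicious operations. fofa: app="APACHE-Solr" -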
solr-log4j-rce: Apache Solr Log4j Remote Code Execution POC
Fofa: app="APACHE-Solr" -
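Apache Struts2 S2-067 /index.action File Upload Vulnerability (CVE-2024-53677) No POC
Apache Struts2 S2-067 is a remote code execution vulnerability caused by the framework's improper handling of specific requests. With a carefully crafted malicious request, an attacker can use the /index.action path to upload malicious files or execute arbitrary code. The vulnerability mainly affects Struts2 applications that are misconfigured or run outdated versions, and the risk is greater where the file upload function does not strictly filter user input. -
Apache CXF Aegis databinding /test File Read Vulnerability (CVE-2024-28752) No POC
Apache CXF is an open-source web services framework that supports several data binding methods, of which Aegis is one. The vulnerability is in CXF's Aegis data binding module: by crafting a malicious SOAP request, an attacker can use the way org.apache.cxf.aegis.databinding.AegisDatabinding parses XML data to trigger server-side request forgery (SSRF). Specifically, when a CXF server uses Aegis data binding to process XML input, an attacker can inject specific XML elements (such as a "test" element) that cause the server to issue an HTTP request to an attacker-controlled URL, which may leak internal network information or allow further attacks against internal network vulnerabilities. -
Apache Struts2 2.0.0~2.2.3 S2-007 /user.action Command Execution Vulnerability (CVE-2012-0838) No POC
Apache Struts2 is a Java-based open-source web application framework. The vulnerability arises because strings are evaluated as OGNL expressions while handling conversion errors, which lets a remote attacker use invalid input to modify run-time data values and then execute arbitrary code. The vulnerability is easy to exploit and severe, and can lead to full compromise of the server; enterprises are advised to upgrade to a safe version immediately. -
Apache ActiveMQ Artemis Console Default Account and Password No POC
Apache ActiveMQ Artemis Console has a default account and password; an attacker can log in to the backend and obtain sensitive information. -
Apache OFBiz StatsSinceStart Remote Code Execution Vulnerability (CVE-2024-45507) No POC
Apache OFBiz versions before 18.12.16 have an unauthenticated remote code execution vulnerability on Linux and Windows systems. -
Apache OFBiz /partymgr/control/getJSONuiLabel Server-Side Request Forgery Vulnerability (CVE-2023-50968) No POC
Apache OFBiz is a platform for building enterprise-grade e-commerce applications. The vulnerability combines SSRF and information disclosure issues: an attacker can craft malicious requests to bypass authentication, obtain sensitive information, or launch server-side request forgery attacks. Because it can be exploited without any privileges, it may lead to leakage of critical business data; enterprises are advised to upgrade to 18.12.11 or later immediately. -
Apache Solr /solr/admin/cores XML External Entity Injection Vulnerability (CVE-2017-12629) No POC
Apache Solr is an open-source search platform based on Apache Lucene. The vulnerability exists in Apache Solr 7.1 and earlier: an attacker can exploit an XML external entity (XXE) injection vulnerability together with the Config API add-listener command to achieve remote code execution. An attacker can also upload malicious data through the XML Query Parser or use Blind XXE to read arbitrary local files on the Solr server. -
Apache Druid Server-Side Request Forgery Vulnerability (CVE-2025-27888) No POC
Apache Druid has a server-side request forgery vulnerability; an attacker can directly access internal systems. -
Apache HugeGraph Code Injection Vulnerability (CVE-2024-27348) No POC
Apache HugeGraph-Server has an RCE (remote command execution) vulnerability. The issue affects Apache HugeGraph-Server versions from 1.0.0 up to but not including 1.3.0, on Java8 and Java11. Users are advised to upgrade to version 1.3.0 with Java11 and enable the authentication system. -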
CVE-2020-13935: Apache Tomcat WebSocket Frame Payload Length Validation Denial of Service POC
Apache Tomcat versions 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, and 7.0.27 to 7.0.104 contain a vulnerability in the WebSocket module where the payload length of WebSocket frames is not correctly validated. This can lead to an infinite loop when processing frames with invalid payload lengths. Attackers can exploit this flaw by sending multiple malicious requests, resulting in a denial of service (DoS) on the affected Tomcat instance. -
CVE-2021-45046-DAST: Apache Log4j2 - Remote Code Injection POC
Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. -
CVE-2007-2449: Apache Tomcat 4.x-7.x - Cross-Site Scripting POC
Apache Tomcat 4.x through 7.x contains a cross-site scripting vulnerability which an attacker can use to execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. -
CVE-2007-4556: OpenSymphony XWork/Apache Struts2 - Remote Code Execution POC
Apache Struts support in OpenSymphony XWork before 1.2.3, and 2.x before 2.0.4, as used in WebWork and Apache Struts, recursively evaluates all input as an Object-Graph Navigation Language (OGNL) expression when altSyntax is enabled, which allows remote attackers to cause a denial of service (infinite loop) or execute arbitrary code via form input beginning with a "%{" sequence and ending with a "}" character. -
CVE-2010-0219: Apache Axis2 Default Login POC
Apache Axis2, as used in dswsbobje.war in SAP BusinessObjects Enterprise XI 3.2, CA ARCserve D2D r15, and other products, has a default password of axis2 for the admin account, which makes it easier for remote attackers to execute arbitrary code by uploading a crafted web service. -
CVE-2012-0392: Apache Struts2 S2-008 RCE POC
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method. -
CVE-2012-0394: Apache Struts <2.3.1.1 - Remote Code Execution POC
Apache Struts before 2.3.1.1 is susceptible to remote code execution. When developer mode is used in the DebuggingInterceptor component, a remote attacker can execute arbitrary OGNL commands via unspecified vectors, which can allow for execution of malware, obtaining sensitive information, modifying data, and/or gaining full control over a compromised system without entering necessary credentials. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself." -
CVE-2013-1965: Apache Struts2 S2-012 RCE POC
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect. -
CVE-2013-2248: Apache Struts - Multiple Open Redirection Vulnerabilities POC
Apache Struts is prone to multiple open-redirection vulnerabilities because the application fails to properly sanitize user-supplied input. -
CVE-2013-2251: Apache Struts 2 - DefaultActionMapper Prefixes OGNL Code Execution POC
In Struts 2 before 2.3.15.1 the information following "action:", "redirect:", or "redirectAction:" is not properly sanitized and will be evaluated as an OGNL expression against the value stack. This introduces the possibility to inject server side code. -
CVE-2016-3081: Apache S2-032 Struts - Remote Code Execution POC
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when dynamic method invocation is enabled, allows remote attackers to execute arbitrary code via method: prefix (related to chained expressions). -
CVE-2016-3088: Apache ActiveMQ Fileserver - Arbitrary File Write POC
Apache ActiveMQ 5.x before 5.14.0 allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request via the Fileserver web application. -
CVE-2016-4437: Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability POC
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. -
CVE-2016-4975: Apache mod_userdir CRLF injection POC
Apache CRLF injection allowing HTTP response splitting attacks on sites using mod_userdir. -
CVE-2016-8735: Apache Tomcat - Remote Code Execution via JMX Ports POC
Apache Tomcat versions before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 are vulnerable to remote code execution if JmxRemoteLifecycleListener is used and the JMX ports are exposed to attackers. The vulnerability exists due to inconsistent credential type handling, which was not aligned with the CVE-2016-3427 Oracle patch. Attackers with access to JMX ports can exploit this issue to execute arbitrary code remotely. -
CVE-2017-12611: Apache Struts2 S2-053 - Remote Code Execution POC
Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1 uses an unintentional expression in a Freemarker tag instead of string literals, which makes it susceptible to remote code execution attacks. -
CVE-2017-12615: Apache Tomcat Servers - Remote Code Execution POC
Apache Tomcat servers 7.0.{0 to 79} are susceptible to remote code execution. By design, you are not allowed to upload JSP files via the PUT method. This is likely a security measure to prevent an attacker from uploading a JSP shell and gaining remote code execution on the server. However, due to the insufficient checks, an attacker could gain remote code execution on Apache Tomcat servers that have enabled PUT method by using a specially crafted HTTP request. -
CVE-2017-12617: Apache Tomcat - Remote Code Execution POC
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. -
CVE-2017-12629: Apache Solr <= 7.1 - XML Entity Injection POC
Apache Solr with Apache Lucene before 7.1 is susceptible to remote code execution by exploiting XXE in conjunction with use of a Config API add-listener command to reach the RunExecutableListener class. Elasticsearch, although it uses Lucene, is NOT vulnerable to this. Note that the XML external entity expansion vulnerability occurs in the XML Query Parser which is available, by default, for any query request with parameters deftype=xmlparser and can be exploited to upload malicious data to the /upload request handler or as Blind XXE using ftp wrapper in order to read arbitrary local files from the Solr server. Note also that the second vulnerability relates to remote code execution using the RunExecutableListener available on all affected versions of Solr. -
CVE-2017-12635: Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation POC
Due to differences in the Erlang-based JSON parser and JavaScript-based JSON parser, it is possible in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to submit _users documents with duplicate keys for 'roles' used for access control within the database, including the special case '_admin' role, that denotes administrative users. In combination with CVE-2017-12636 (Remote Code Execution), this can be used to give non-admin users access to arbitrary shell commands on the server as the database system user. The JSON parser differences result in behavior that if two 'roles' keys are available in the JSON, the second one will be used for authorizing the document write, but the first 'roles' key is used for subsequent authorization for the newly created user. By design, users can not assign themselves roles. The vulnerability allows non-admin users to give themselves admin privileges. -
CVE-2017-15715: Apache httpd <=2.4.29 - Arbitrary File Upload POC
Apache httpd 2.4.0 to 2.4.29 is susceptible to arbitrary file upload vulnerabilities via the expression specified in <FilesMatch>, which could match '$' to a newline character in a malicious filename rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are externally blocked, but only by matching the trailing portion of the filename. -
CVE-2017-5638: Apache Struts 2 - Remote Command Execution POC
Apache Struts 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 is susceptible to remote command injection attacks. The Jakarta Multipart parser has incorrect exception handling and error-message generation during file upload attempts, which can allow an attacker to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header. This was exploited in March 2017 with a Content-Type header containing a #cmd= string. -
CVE-2017-9791: Apache Struts2 S2-053 - Remote Code Execution POC
Apache Struts 2.1.x and 2.3.x with the Struts 1 plugin might allow remote code execution via a malicious field value passed in a raw message to the ActionMessage. -
CVE-2017-9805: Apache Struts2 S2-052 - Remote Code Execution POC
The REST Plugin in Apache Struts 2.1.1 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type of filtering, which can lead to remote code execution when deserializing XML payloads. -
CVE-2018-11759: Apache Tomcat JK Connect <=1.2.44 - Manager Access POC
Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 allows specially constructed requests to expose application functionality through the reverse proxy. It is also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical. -
CVE-2018-11776: Apache Struts2 S2-057 - Remote Code Execution POC
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and, at the same time, their upper package has no or wildcard namespace; and, similar to results, the same possibility exists when using a url tag which doesn't have value and action set and, at the same time, its upper package has no or wildcard namespace. -
CVE-2018-11784: Apache Tomcat - Open Redirect POC
Apache Tomcat versions prior to 9.0.12, 8.5.34, and 7.0.91 are prone to an open-redirection vulnerability because it fails to properly sanitize user-supplied input. -
CVE-2018-1335: Apache Tika <1.1.8 - Header Command Injection POC
Apache Tika versions 1.7 to 1.17 allow clients to send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. -
CVE-2018-8006: Apache ActiveMQ <=5.15.5 - Cross-Site Scripting POC
Apache ActiveMQ versions 5.0.0 to 5.15.5 are vulnerable to cross-site scripting via the web based administration console on the queue.jsp page. The root cause of this issue is improper data filtering of the QueueFilter parameter. -
CVE-2018-8024: Apache Spark UI - Cross-Site Scripting POC
Apache Spark UI before 2.3.2 is vulnerable to XSS via unsanitized query string parameters in the /jobs/ endpoint. -
CVE-2018-8033: Apache OFBiz 16.11.04 - XML Entity Injection POC
Apache OFBiz 16.11.04 is susceptible to XML external entity injection (XXE injection). -
CVE-2019-0192: Apache Solr - Deserialization of Untrusted Data POC
In Apache Solr versions 5.0.0 to 5.5.5 and 6.0.0 to 6.6.5, the Config API allows to configure the JMX server via an HTTP POST request. By pointing it to a malicious RMI server, an attacker could take advantage of Solr's unsafe deserialization to trigger remote code execution on the Solr side. -
CVE-2019-0193: Apache Solr DataImportHandler <8.2.0 - Remote Code Execution POC
Apache Solr is vulnerable to remote code execution vulnerabilities via the DataImportHandler, an optional but popular module to pull in data from databases and other sources. The module has a feature in which the whole DIH configuration can come from a request's "dataConfig" parameter. The debug mode of the DIH admin screen uses this to allow convenient debugging / development of a DIH config. Since a DIH config can contain scripts, this parameter is a security risk. -
CVE-2019-0221: Apache Tomcat - Cross-Site Scripting POC
Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are vulnerable to cross-site scripting because the SSI printenv command echoes user provided data without escaping. Note: SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. -
CVE-2019-0230: Apache Struts <=2.5.20 - Remote Code Execution POC
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation when evaluated on raw user input in tag attributes, which may lead to remote code execution. -
CVE-2019-0232: Apache Tomcat `CGIServlet` enableCmdLineArguments - Remote Code Execution POC
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). -
CVE-2019-10092: Apache HTTP Server <=2.4.39 - HTML Injection/Partial Cross-Site Scripting POC
Apache HTTP Server versions 2.4.0 through 2.4.39 are vulnerable to a limited cross-site scripting issue affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed. -
CVE-2019-10098: Apache HTTP server v2.4.0 to v2.4.39 - Open Redirect POC
In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. -
CVE-2019-17558: Apache Solr <=8.3.1 - Remote Code Execution POC
Apache Solr versions 5.0.0 to 8.3.1 are vulnerable to remote code execution vulnerabilities through the VelocityResponseWriter. A Velocity template can be provided through Velocity templates in a configset `velocity/` directory or as a parameter. A user defined configset could contain renderable, potentially malicious, templates. Parameter provided templates are disabled by default, but can be enabled by setting `params.resource.loader.enabled` by defining a response writer with that setting set to `true`. Defining a response writer requires configuration API access. Solr 8.4 removed the params resource loader entirely, and only enables the configset-provided template rendering when the configset is `trusted` (has been uploaded by an authenticated user). -
CVE-2019-17564: Apache Dubbo 2.5.x-2.7.4 - Insecure Deserialization POC
Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. This issue affected Apache Dubbo 2.7.0 to 2.7.4, 2.6.0 to 2.6.7, and all 2.5.x versions. -
CVE-2020-11975: Apache Unomi - Remote Code Execution POC
Apache Unomi allows conditions to use OGNL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process, enabling attackers to execute arbitrary code. -
CVE-2020-11978: Apache Airflow <=1.10.10 - Remote Code Execution POC
Apache Airflow versions 1.10.10 and below are vulnerable to remote code/command injection vulnerabilities in one of the example DAGs shipped with Airflow. This could allow any authenticated user to run arbitrary commands as the user running airflow worker/scheduler (depending on the executor in use). -
CVE-2020-11984: Apache HTTP Server - Remote Code Execution POC
Apache HTTP Server 2.4.32 to 2.4.44 contains an info disclosure and possible remote code execution caused by a vulnerability in mod_proxy_uwsgi, letting remote attackers access sensitive information and potentially execute arbitrary code. Exploitation requires sending crafted requests. -
CVE-2020-11991: Apache Cocoon 2.1.12 - XML Injection POC
Apache Cocoon 2.1.12 is susceptible to XML injection. When using the StreamGenerator, the code parses a user-provided XML. A specially crafted XML, including external system entities, can be used to access any file on the server system. -
CVE-2020-13937: Apache Kylin - Exposed Configuration File POC
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha have one REST API which exposed Kylin's configuration information without authentication. -
CVE-2020-13942: Apache Unomi <1.5.2 - Remote Code Execution POC
Apache Unomi allows conditions to use OGNL and MVEL scripting which offers the possibility to call static Java classes from the JDK that could execute code with the permission level of the running Java process. This vulnerability affects all versions of Apache Unomi prior to 1.5.2. -
CVE-2020-13945: Apache APISIX - Insufficiently Protected Credentials POC
Apache APISIX 1.2, 1.3, 1.4, and 1.5 is susceptible to insufficiently protected credentials. An attacker can enable the Admin API and delete the Admin API access IP restriction rules. Eventually, the default token is allowed to access APISIX management data. -
CVE-2020-17518: Apache Flink 1.5.1 - Local File Inclusion POC
Apache Flink 1.5.1 is vulnerable to local file inclusion because of a REST handler that allows file uploads to an arbitrary location on the local file system through a maliciously modified HTTP HEADER. -
CVE-2020-17519: Apache Flink - Local File Inclusion POC
Apache Flink 1.11.0 (as well as 1.11.1 and 1.11.2) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process (aka local file inclusion). -
CVE-2020-17526: Apache Airflow <1.10.14 - Authentication Bypass POC
Apache Airflow prior to 1.10.14 contains an authentication bypass vulnerability via incorrect session validation with default configuration. An attacker on site A can access unauthorized Airflow on site B through the site A session. -
CVE-2020-17530: Apache Struts 2.0.0-2.5.25 - Remote Code Execution POC
Apache Struts 2.0.0 through Struts 2.5.25 is susceptible to remote code execution because forced OGNL evaluation, when evaluated on raw user input in tag attributes, may allow it. -
CVE-2020-1943: Apache OFBiz <=16.11.07 - Cross-Site Scripting POC
Apache OFBiz 16.11.01 to 16.11.07 is vulnerable to cross-site scripting because data sent with contentId to /control/stream is not sanitized. -
CVE-2020-1956: Apache Kylin 3.0.1 - Command Injection Vulnerability POC
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, has some RESTful APIs which concatenate OS commands with the user input string; a user is likely to be able to execute any OS command without any protection or validation. -
CVE-2020-9484: Apache Tomcat Remote Command Execution POC
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. -
CVE-2020-9496: Apache OFBiz 17.12.03 - Cross-Site Scripting POC
Apache OFBiz 17.12.03 contains cross-site scripting and unsafe deserialization vulnerabilities via an XML-RPC request. -
CVE-2021-25646: Apache Druid - Remote Code Execution POC
Apache Druid is susceptible to remote code execution because by default it lacks authorization and authentication. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server. -
CVE-2021-26295: Apache OFBiz <17.12.06 - Arbitrary Code Execution POC
Apache OFBiz has unsafe deserialization prior to 17.12.06. An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz. -
CVE-2021-27850: Apache Tapestry - Remote Code Execution POC
Apache Tapestry contains a critical unauthenticated remote code execution vulnerability. Affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0. Note that this vulnerability is a bypass of the fix for CVE-2019-0195. Before that fix it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. -
CVE-2021-27905: Apache Solr <=8.8.1 - Server-Side Request Forgery POC
Apache Solr versions 8.8.1 and prior contain a server-side request forgery vulnerability. The ReplicationHandler (normally registered at "/replication" under a Solr core) in Apache Solr has a "masterUrl" (also "leaderUrl" alias) parameter that is used to designate another ReplicationHandler on another Solr core to replicate index data into the local core. To prevent a SSRF vulnerability, Solr ought to check these parameters against a similar configuration it uses for the "shards" parameter. -
CVE-2021-29200: Apache OFBiz < 17.12.07 - Arbitrary Code Execution POC
Apache OFBiz has unsafe deserialization prior to version 17.12.07. An unauthenticated user can perform an RCE attack. -
CVE-2021-30128: Apache OFBiz <17.12.07 - Arbitrary Code Execution POC
Apache OFBiz before 17.12.07 is susceptible to arbitrary code execution via unsafe deserialization. An attacker can modify deserialized data or code without using provided accessor functions. -
CVE-2021-31805: Apache Struts2 S2-062 - Remote Code Execution POC
Apache Struts2 S2-062 is vulnerable to remote code execution. The fix issued for CVE-2020-17530 (S2-061) was incomplete, meaning some of the tag's attributes could still perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. -
CVE-2021-36749: Apache Druid - Local File Inclusion POC
Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1. -
CVE-2021-37580: Apache ShenYu Admin JWT - Authentication Bypass POC
Apache ShenYu 2.3.0 and 2.4.0 allow Admin access without proper authentication. The incorrect use of JWT in ShenyuAdminBootstrap allows an attacker to bypass authentication. -
CVE-2021-38540: Apache Airflow - Unauthenticated Variable Import POC
Apache Airflow >=2.0.0 and <2.1.3 does not protect the variable import endpoint, which allows unauthenticated users to hit that endpoint to add/modify Airflow variables used in DAGs, potentially resulting in a denial of service, information disclosure or remote code execution. -
CVE-2021-40438: Apache <= 2.4.48 Mod_Proxy - Server-Side Request Forgery POC
Apache 2.4.48 and below contain an issue where uri-path can cause mod_proxy to forward the request to an origin server chosen by the remote user. -
CVE-2021-41773: Apache 2.4.49 - Path Traversal and Remote Code Execution POC
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. -
CVE-2021-42013: Apache 2.4.49/2.4.50 - Path Traversal and Remote Code Execution POC
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49 and 2.4.50. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts. In certain configurations, for instance if mod_cgi is enabled, this flaw can lead to remote code execution. This issue only affects Apache 2.4.49 and 2.4.50 and not earlier versions. Note - CVE-2021-42013 is due to an incomplete fix for the original vulnerability CVE-2021-41773. -
CVE-2021-44228: Apache Log4j2 Remote Code Injection POC
Apache Log4j2 <=2.14.1 JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. -
CVE-2021-44451: Apache Superset <=1.3.2 - Default Login POC
Apache Superset through 1.3.2 contains a default login vulnerability via registered database connections for authenticated users. An attacker can obtain access to user accounts and thereby obtain sensitive information, modify data, and/or execute unauthorized operations. -
CVE-2021-45046: Apache Log4j2 - Remote Code Injection POC
Apache Log4j2 Thread Context Lookup Pattern is vulnerable to remote code execution in certain non-default configurations. -
CVE-2021-45232: Apache APISIX Dashboard <2.10.1 - API Unauthorized Access POC
In Apache APISIX Dashboard before 2.10.1, the Manager API uses two frameworks and introduces framework `droplet` on the basis of framework `gin`. While all APIs and authentication middleware are developed based on framework `droplet`, some APIs directly use the interface of framework `gin`, thus bypassing their authentication. -
CVE-2022-22733: Apache ShardingSphere ElasticJob-UI privilege escalation POC
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache ShardingSphere ElasticJob-UI allows an attacker who has a guest account to escalate privileges. This issue affects Apache ShardingSphere ElasticJob-UI 3.x version 3.0.0 and prior versions. -
CVE-2022-23944: Apache ShenYu Admin Unauth Access POC
Apache ShenYu suffers from an unauthorized access vulnerability where a user can access /plugin api without authentication. This issue affected Apache ShenYu 2.4.0 and 2.4.1. -
CVE-2022-24112: Apache APISIX - Remote Code Execution POC
A default configuration of Apache APISIX (with default API key) is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different from the data panel, the impact is lower. But there is still a risk to bypass the IP restriction of Apache APISIX's data panel. There is a check in the batch-requests plugin which overrides the client IP with its real remote IP. But due to a bug in the code, this check can be bypassed. -
CVE-2022-24288: Apache Airflow OS Command Injection POC
Apache Airflow prior to version 2.2.4 is vulnerable to OS command injection attacks because some example DAGs do not properly sanitize user-provided parameters, making them susceptible to OS Command Injection from the web UI. -
CVE-2022-33891: Apache Spark UI - Remote Command Injection POC
Apache Spark UI is susceptible to remote command injection. ACLs can be enabled via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow impersonation by providing an arbitrary user name. An attacker can potentially reach a permission check function that will ultimately build a Unix shell command based on input and execute it, resulting in arbitrary shell command execution. Affected versions are 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1. -
CVE-2022-47501: Apache OFBiz < 18.12.07 - Local File Inclusion POC
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07. -
CVE-2023-25194: Apache Druid Kafka Connect - Remote Code Execution POC
The vulnerability has the potential to enable a remote attacker with authentication to run any code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API. -
CVE-2023-27524: Apache Superset - Authentication Bypass POC
Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset administrators who have changed the default value for SECRET_KEY config. -
CVE-2023-49070: Apache OFBiz < 18.12.10 - Arbitrary Code Execution POC
Pre-auth RCE in Apache OFBiz 18.12.09. It is due to XML-RPC, which is no longer maintained, still being present. This issue affects Apache OFBiz: before 18.12.10. -
CVE-2023-50290: Apache Solr - Host Environment Variables Leak via Metrics API POC
Exposure of Sensitive Information to an Unauthorized Actor Vulnerability in Apache Solr. The Solr Metrics API publishes all unprotected environment variables available to each Apache Solr instance. Users can specify which environment variables to hide, however, the default list is designed to work for known secret Java system properties. Environment variables cannot be strictly defined in Solr, like Java system properties can be, and may be set for the entire host, unlike Java system properties which are set per-Java-process. -
CVE-2023-50968: Apache OFBiz < 18.12.11 - Server Side Request Forgery POC
Arbitrary file properties reading vulnerability in Apache Software Foundation Apache OFBiz when user operates an uri call without authorizations. The same uri can be operated to realize a SSRF attack also without authorizations. Users are recommended to upgrade to version 18.12.11, which fixes this issue. -
CVE-2023-51467: Apache OFBiz < 18.12.11 - Remote Code Execution POC
The vulnerability allows attackers to bypass authentication to achieve a simple Server-Side Request Forgery (SSRF) -
CVE-2024-27348: Apache HugeGraph-Server - Remote Command Execution POC
Apache HugeGraph-Server is an open-source graph database that provides a scalable and high-performance solution for managing and analyzing large-scale graph data. It is commonly used in Java8 and Java11 environments. However, versions prior to 1.3.0 are vulnerable to a remote command execution (RCE) vulnerability in the gremlin component. -
CVE-2024-29868: Apache StreamPipes <= 0.93.0 - Use of Cryptographically Weak PRNG in Recovery Token Generation POC
Apache StreamPipes from version 0.69.0 through 0.93.0 uses a cryptographically weak Pseudo-Random Number Generator (PRNG) in the recovery token generation mechanism. Given a valid token it's possible to predict all past and future generated tokens. -
CVE-2024-30188: Apache DolphinScheduler >= 3.1.0, < 3.2.2 Resource File Read And Write POC
File read and write vulnerability in Apache DolphinScheduler: authenticated users can illegally access additional resource files. This issue affects Apache DolphinScheduler from 3.1.0 before 3.2.2. -
CVE-2024-32113: Apache OFBiz Directory Traversal - Remote Code Execution POC
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.13. -
CVE-2024-36104: Apache OFBiz - Directory Traversal & Remote Code Execution POC
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.14. Users are recommended to upgrade to version 18.12.14, which fixes the issue. -
CVE-2024-38472: Apache HTTPd Windows UNC - Server-Side Request Forgery POC
SSRF in Apache HTTP Server on Windows allows potentially leaking NTLM hashes to a malicious server via SSRF and malicious requests or content. Users are recommended to upgrade to version 2.4.60, which fixes this issue. Note: Existing configurations that access UNC paths will have to configure the new directive "UNCList" to allow access during request processing. -
CVE-2024-38473: Apache HTTP Server - ACL Bypass POC
Encoding problem in mod_proxy in Apache HTTP Server 2.4.59 and earlier allows request URLs with incorrect encoding to be sent to backend services, potentially bypassing authentication via crafted requests. -
CVE-2024-38856: Apache OFBiz - Improper Authorization & Remote Code Execution POC
Improper Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). -
CVE-2024-39887: Apache Superset < 4.0.2 - SQL Injection POC
An SQL Injection vulnerability in Apache Superset exists due to improper neutralization of special elements used in SQL commands. Specifically, certain engine-specific functions are not checked, which allows attackers to bypass Apache Superset's SQL authorization. To mitigate this, a new configuration key named DISALLOWED_SQL_FUNCTIONS has been introduced. This key disallows the use of the following PostgreSQL functions: version, query_to_xml, inet_server_addr, and inet_client_addr. Additional functions can be added to this list for increased protection. -
CVE-2024-41107: Apache CloudStack - SAML Signature Exclusion POC
The CloudStack SAML authentication (disabled by default) does not enforce signature check. In CloudStack environments where SAML authentication is enabled, an attacker that initiates CloudStack SAML single sign-on authentication can bypass SAML authentication by submitting a spoofed SAML response with no signature and known or guessed username and other user details of a SAML-enabled CloudStack user account. -
CVE-2024-45195: Apache OFBiz - Remote Code Execution POC
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server. -
CVE-2024-45216: Apache Solr - Authentication Bypass POC
Solr instances using the PKIAuthenticationPlugin, which is enabled by default when Solr Authentication is used, are vulnerable to Authentication bypass. A fake ending at the end of any Solr API URL path will allow requests to skip Authentication while maintaining the API contract with the original URL Path. This fake ending looks like an unprotected API path, however it is stripped off internally after authentication but before API routing. This issue affects Apache Solr: from 5.3.0 before 8.11.4, from 9.0.0 before 9.7.0. -
CVE-2024-45507: Apache OFBiz - Remote Code Execution POC
Apache OFBiz below 18.12.16 is vulnerable to unauthenticated remote code execution on Linux and Windows. An attacker with no valid credentials can exploit missing view authorization checks in the web application to execute arbitrary code on the server. -
CVE-2024-56325: Apache Pinot < 1.3.0 - Authentication Bypass POC
This vulnerability allows remote attackers to bypass authentication on affected installations of Apache Pinot. Authentication is not required to exploit this vulnerability. The specific flaw exists within the AuthenticationFilter class. The issue results from insufficient neutralization of special characters in a URI. An attacker can leverage this vulnerability to bypass authentication on the system. -
CVE-2024-56512: Apache NiFi - Information Disclosure POC
Apache NiFi 1.10.0 through 2.0.0 are missing fine-grained authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers, when creating new Process Groups. Creating a new Process Group can include binding to a Parameter Context, but in cases where the Process Group did not reference any Parameter values, the framework did not check user authorization for the bound Parameter Context. Missing authorization for a bound Parameter Context enabled clients to download non-sensitive Parameter values after creating the Process Group. -
CVE-2025-24813: Apache Tomcat Path Equivalence - Remote Code Execution POC
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. -
CVE-2025-27888: Apache Druid - Server-Side Request Forgery POC
Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected. Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue. -
CVE-2023-46604: Apache ActiveMQ - Remote Code Execution POC
Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue. -
CVE-2017-5645: Apache Log4j Server - Deserialization Command Execution POC
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code. -
CVE-2020-11981: Apache Airflow <=1.10.10 - Command Injection POC
An issue was found in Apache Airflow versions 1.10.10 and below. When using CeleryExecutor, if an attacker can connect to the broker (Redis, RabbitMQ) directly, it is possible to inject commands, resulting in the celery worker running arbitrary commands. -
CVE-2020-1938: Ghostcat - Apache Tomcat - AJP File Read/Inclusion Vulnerability POC
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: (1) returning arbitrary files from anywhere in the web application; (2) processing any file in the web application as a JSP. Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. -
CVE-2021-44521: Apache Cassandra Load UDF RCE POC
When running Apache Cassandra with the following configuration: "enable_user_defined_functions: true", "enable_scripted_user_defined_functions: true", "enable_user_defined_functions_threads: false", it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE. -
CVE-2024-43441: Apache HugeGraph-Server <1.5.0 - Authentication Bypass POC
Apache HugeGraph-Server versions prior to 1.5.0 contain an authentication bypass vulnerability caused by assumed-immutable data. This flaw allows attackers to bypass authentication mechanisms without requiring specific privileges or user interaction. -
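Apache ActiveMQ /api/jolokia/list Unauthorized Access Vulnerability (CVE-2024-32114) No POC
Apache ActiveMQ is an open-source message broker based on the Java Message Service (JMS). Jolokia provides JMX over HTTP through a REST API. In affected versions, ActiveMQ integrates Jolokia but does not add authentication to the Jolokia JMX REST API or the Message REST API, so an unauthenticated attacker can use the exposed APIs to interact with the message broker, use the Message REST API to send and receive messages, or even purge or delete message queues and topics. -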
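Apache Pinot Authentication Bypass Vulnerability (CVE-2024-56325) No POC
Apache Pinot versions below 1.3 contain an authentication bypass vulnerability. An attacker can craft a malicious request to bypass the relevant permission checks and call back-end functions, leading to sensitive information disclosure and similar impact. -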
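Apache Pinot Sensitive Information Disclosure Vulnerability (CVE-2024-39676) No POC
Apache Pinot versions below 1.0 contain a sensitive information disclosure vulnerability. An attacker can craft a malicious request to obtain sensitive information from the server. -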
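Apache Pinot swagger-ui Unauthorized Access Vulnerability No POC
Apache Pinot versions below 1.3 contain a swagger-ui unauthorized access vulnerability. An attacker can exploit it to craft malicious requests to the interfaces, causing disclosure of sensitive server information. -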
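Apache Kafka Connect /connectors File Read Vulnerability (CVE-2025-27817) No POC
Apache Kafka is an open-source distributed event streaming platform, widely used for high-performance data pipelines, streaming analytics and data integration. The vulnerability stems from flawed security controls in Apache Kafka Client on the sasl.oauthbearer.token.endpoint.url and sasl.oauthbearer.jwks.endpoint.url parameters when configuring SASL/OAUTHBEARER connections. By supplying malicious URL parameters, an attacker can exploit this flaw to read arbitrary files or issue SSRF requests (reaching unintended target addresses). -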
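Apache Struts s-067 Arbitrary File Upload Vulnerability (CVE-2024-53677) No POC
The file upload logic in Apache Struts versions from 2.0.0 up to, but not including, 6.4.0 is flawed. An attacker can manipulate file upload parameters to achieve path traversal and, in some circumstances, upload a malicious file, resulting in remote code execution. -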
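Apache OFBiz /webtools/control/forgotPassword;/ProgramExport Code Execution Vulnerability (CVE-2024-32113) No POC
Apache OFBiz is an open-source enterprise resource planning (ERP) system that provides a range of business management functions. The /webtools/control/forgotPassword;/ProgramExport interface of Apache OFBiz has a path traversal vulnerability that may lead to remote code execution. The vulnerability affects Apache OFBiz versions before 18.12.13; an attacker can use it to execute malicious code and compromise system security. -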
Apache Zeppelin Shell Code Injection Vulnerability (CVE-2024-31861) No POC
Apache Zeppelin shell code injection vulnerability: an attacker can use the shell feature in Zeppelin to execute arbitrary commands. -
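Apache Pinot / Unauthorized Access Vulnerability No POC
Apache Pinot is a real-time distributed OLAP data store and analytics system, used to deliver low-latency, scalable real-time analytics. Pinot ingests data for analysis from offline data sources (including Hadoop and various files) and online data sources (such as Kafka). Due to misconfiguration, Apache Pinot has an unauthorized access vulnerability. -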
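Langflow /validate/code Remote Code Execution Vulnerability (CVE-2025-3248) No POC
The /validate/code interface of Langflow has a remote code execution vulnerability (CVE-2025-3248). The vulnerability arises because the system fails to apply effective sandbox isolation or strict filtering to user-submitted Python code snippets, allowing an attacker to inject system commands through specially constructed code (for example using os.system() or subprocess-invoking functions). It affects Langflow 1.2.0 and all earlier versions, with a CVSS 3.1 score of 9.8 (a high-risk vulnerability). Users are advised to upgrade immediately to the latest fixed version, or to temporarily disable the dynamic code validation feature as a mitigation. -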
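Langflow /api/v1/validate/code Code Execution Vulnerability (CVE-2025-3248) No POC
LangFlow is a Python-based low-code visual tool for building AI applications, focused on developing multi-agent AI, prompt engineering and retrieval-augmented generation (RAG) applications. Langflow versions before 1.3.0 have a remote code execution vulnerability: an attacker can execute arbitrary code by sending a crafted HTTP request to the /api/v1/validate/code endpoint. -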
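Apache HertzBeat /api/account/auth/form Default Credentials Vulnerability No POC
Apache HertzBeat is an open-source real-time monitoring and alerting tool that supports monitoring of operating systems, middleware, databases and many other targets, and provides a web interface for management. The Apache HertzBeat platform has a weak-password vulnerability. An attacker can log in to the management platform using the default weak credentials and obtain administrative privileges on the system, which may lead to security problems such as sensitive information disclosure and tampering with device configuration. -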
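Apache Tomcat Remote Command Execution (CVE-2025-24813) No POC
Apache Tomcat is an open-source Java Servlet container, widely used to run Java-based web applications. This vulnerability (CVE-2025-24813) allows a remote attacker to execute arbitrary commands on the target system through a specific malicious request, thereby taking full control of the affected server. -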
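Apache Tomcat Partial PUT Remote Code Execution Vulnerability No POC
Apache Tomcat is a lightweight web application server from the Apache Foundation (USA), used to provide support for Servlets and JavaServer Pages (JSP). Apache Tomcat versions 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34 and 9.0.0.M1 to 9.0.98 have an environment-issue vulnerability. An attacker can exploit it to execute code remotely or disclose sensitive information. -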
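LightPicture /api/upload File Upload Vulnerability (CVE-2025-1835) No POC
osuuu LightPicture 1.2.2 has an unauthenticated file upload vulnerability. An attacker can exploit it to upload arbitrary PHP files to the server, thereby executing arbitrary PHP code and gaining control of the server.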